APPEAL BRIEF

Dear Sir: 

Pursuant to 37 C.F.R. 41.37 and further to the Notice of Appeal filed November 
13, 2006 in the above-captioned matter, the Appellant submits this Appeal Brief and the 
accompanying fee as set forth in 37 C.F.R. 41.20(b)(2). 

(1) Real Party in Interest

The subject application is owned by Cisco Technology, Inc., having a place of 
business at 170 West Tasman Drive, San Jose, California 95134-1706. The assignment 
was recorded in the U.S.P.T.O. on February 15, 2006, under Reel 017164, Frame 0886. 



(2) Related Appeals and Interferences

None. 

(3) Status of Claims

This application contains claims 1-8, 10, 11, 13-16, 20, 33, 35 and 46-69. Claims 
1-8, 10, 11, 13-16, 20, 33, 35 and 46-69 were finally rejected in an Official Action dated 
July 17, 2006 (hereinafter referred to simply as the Official Action). The final rejection 
was maintained in an Advisory Action dated October 24, 2006. 

The status of claim 55 is unclear: In the Office Action Summary (page 1 of the 
Official Action), the Examiner listed claim 55 as objected to, rather than rejected, and 
indicated (page 9 of the Official Action) that this claim recites allowable subject matter. 
On the other hand, claim 55 is included in the group of claims rejected under 35 U.S.C. 
103(a) (page 2 in the Official Action) and in the list of rejected claims in the Advisory 
Action. The Examiner gave no specific grounds for the rejection of claim 55. 

On November 13, 2006, Appellant appealed from the rejection of claims 1-8, 10, 
11, 13-16, 20, 33, 35 and 46-69.

(4) Status of Amendments 

No amendments have been made since the final rejection in the Official Action. 

(5) Summary of Claimed Subject Matter 

Appellant's invention, as recited in independent claims 1, 46, 49, 56 and 66, 
provides methods, network elements and systems for responding to and protecting 
against an overload condition on a network. 

Claim 1 recites a method of responding to an overload condition at a "victim" 
network element in a set of one or more potential victims on a network. The method 
includes the following steps: 

(A) A first set of one or more network elements external to the set of victims is 
used to initiate diversion of traffic destined for the victim, in response to an indication 
of an anomalous traffic condition. The network elements in the first set divert the traffic 
to a second set of one or more network elements external to the set of potential victims. 
This sort of operation is described (with reference to Figure 1) in paragraph 0248, for
example: Routers R0-R8 selectively divert traffic destined for a victim H0 to guards
G0-G3 when the victim comes under an anomalous traffic condition. (Paragraph numbers
refer to the published version of the present patent application, US 2002/0083175.)

(B) The elements in the second set filter the diverted traffic and selectively pass a 
portion thereof to the victim. As explained in paragraph 0301, for example, each guard 
machine "sieves out the malicious (or excessive) traffic, forwarding to the 
corresponding victim legitimate traffic at a rate it (the victim) can sustain." As noted in 
paragraph 0248, "Following filtering and/or at least partial processing of the diverted 
traffic, some or all of it (e.g., non-malicious packets...) may be directed from the guards
to the victim H0)."

Claim 46 recites a network element for use in protecting against an overload 
condition on a network. The network element includes the following functional 
components, which may be taken to correspond to elements of the guard machines that 
are shown in Figures 2 and 3:

(A) An input receives traffic diverted from the network, as represented by the 
"From Border" arrow in Figure 2. As noted in paragraph 0293, the traffic comprises 
flows/packets originating from certain IP addresses, i.e., source addresses. 

(B) A statistics module performs a statistical analysis of the diverted traffic so as 
to detect an anomalous pattern of a flow associated with at least one source address. 
This module corresponds to "statistical engine 16" in Figure 2, which "singles out flows 
or aggregates of flows (... identified by... the IP addresses...) with irregular/suspicious
behavior" (paragraph 0295). 

(C) A filter blocks at least a portion of the data packets having the at least one 
source address, responsively to detection of the anomalous pattern. This filter 
corresponds to "filter function 12" in Figure 2, which (as explained in paragraph 0293) 
"blocks packets originating from IP addresses... that were suspected as being a source 
of malicious traffic..." "The filter-rules are placed in the filter... dynamically by the 
management of the guard in response to indications received from the statistical
engine." 

(D) An output, as represented by the "Back to Border Router" arrow in Figure 2, 
selectively passes on traffic not blocked by the filter. As noted in paragraph 0248, 
"Following filtering and/or at least partial processing of the diverted traffic, some or all 
of it (e.g., non-malicious packets...) may be directed from the guards to the victim H0."

Claim 49 recites a system for use in protecting against an overload condition on a 
network. The components of the system, which may be taken to correspond to elements 
shown in Figure 1, comprise: 

(A) One or more network elements ("guards"), shown in Figure 1 as G0-G3. 
Each guard comprises the following components, which may be taken to correspond to 
elements shown in Figure 2: 

(1) An input for receiving traffic from the network, as represented by the 
"From Border" arrow in Figure 2. 

(2) A filter coupled to the input, which selectively blocks traffic that 
originated from a source suspected of causing the overload condition. This filter 
corresponds to "filter function 12" in Figure 2, which (as explained in paragraph 
0293) "blocks packets originating from IP addresses... that were suspected as 
being a source of malicious traffic. . ." 

(3) A statistics module that identifies the traffic statistically indicative of 
having originated from the source suspected of causing the overload condition. 
This module corresponds to "statistical engine 16" in Figure 2, which "singles out 
flows or aggregates of flows (... identified by... the IP addresses...) with 
irregular/suspicious behavior" (paragraph 0295). 

(4) An output, as represented by the "Back to Border Router" arrow in 
Figure 2, which selectively passes on to further elements in the network traffic not 
blocked by the filter. As noted in paragraph 0248, "Following filtering and/or at 
least partial processing of the diverted traffic, some or all of it (e.g., non-malicious
packets...) may be directed from the guards to the victim H0."

(B) One or more further network elements ("diverters"), shown in Figure 1 as
"routers" R0-R8 (paragraph 0247). The routers communicate with the guards and 
selectively initiate diversion of traffic otherwise destined for a "victim" to at least one of 
the guards in response to detection of an anomalous traffic condition. This sort of 
operation is described (with reference to Figure 1) in paragraph 0248, for example: 
Routers R0-R8 selectively divert traffic destined for a victim H0 to guards G0-G3 when
the victim comes under an anomalous traffic condition. 

Claim 56 recites a method of responding to an overload condition at a "victim" 
network element in a set of one or more potential victims on a network. The method 
includes the following steps: 

(A) Traffic destined for the victim is diverted to a guard machine. This sort of 
operation is described (with reference to Figure 1) in paragraph 0248, for example: 
Routers R0-R8 selectively divert traffic destined for a victim H0 to guards G0-G3. As
noted in paragraph 0293, the traffic comprises flows/packets originating from certain IP 
addresses, i.e., source addresses. 

(B) A statistical analysis of the diverted traffic is performed at the guard machine 
so as to detect an anomalous pattern of a flow associated with at least one of the source 
addresses. This step is performed, for example, by "statistical engine 16" in the guard 
machine that is shown in Figure 2, which "singles out flows or aggregates of flows (...
identified by... the IP addresses...) with irregular/suspicious behavior" (paragraph 
0295). 

(C) Responsively to detecting the anomalous pattern, at least a portion of the 
packets having the at least one source address that is associated with the anomalous 
flow pattern are prevented from reaching the victim, while at least some of the packets 
from other source addresses are passed to the victim. This step is performed, for 
example, by "filter function 12" of the guard machine shown in Figure 2, which (as 
explained in paragraph 0293) "blocks packets originating from IP addresses... that were
suspected as being a source of malicious traffic..." "The filter-rules are placed in the
filter... dynamically by the management of the guard in response to indications received
from the statistical engine." As noted in paragraph 0248, "Following filtering and/or at
least partial processing of the diverted traffic, some or all of it (e.g., non-malicious
packets...) may be directed from the guards to the victim H0."
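
The guard behaviour summarized above for claims 46 and 56 (statistics module, dynamically installed source filter, selective output) can be illustrated in code. This is an added example, not part of the brief or of the patent application; the median/MAD outlier test, its thresholds, the per-window rate cap and all names and addresses are assumptions made for the illustration.

```python
"""Toy guard: statistics module + dynamic source filter + rate-capped output."""
from collections import Counter
from statistics import median

Z_THRESHOLD = 3.5   # assumed cut-off for the modified z-score
MAD_FLOOR = 1.0     # assumed floor so perfectly uniform traffic cannot divide by zero


def anomalous_sources(counts):
    """Statistics module: return sources whose packet count is a high outlier.

    Uses the median and the median absolute deviation (MAD) so that one very
    loud source cannot drag the baseline towards itself.
    """
    values = list(counts.values())
    if len(values) < 3:
        return set()  # too few flows to say what is typical
    med = median(values)
    mad = max(median(abs(v - med) for v in values), MAD_FLOOR)
    return {src for src, n in counts.items()
            if 0.6745 * (n - med) / mad > Z_THRESHOLD}


class Guard:
    def __init__(self, victim_capacity):
        self.victim_capacity = victim_capacity  # packets per window the victim sustains
        self.blocked = set()                    # filter rules, installed dynamically

    def process_window(self, packets):
        """packets: time-ordered list of (timestamp, source_ip) diverted to the guard.

        Simplification: the window is analysed first and then filtered, so a
        rule derived from a window already applies to that same window.
        """
        # Statistics module: per-source counts for sources not yet blocked.
        counts = Counter(src for _, src in packets if src not in self.blocked)
        # Management: turn statistical indications into filter rules.
        self.blocked |= anomalous_sources(counts)
        # Filter and output: drop blocked sources, pass the rest up to capacity.
        forwarded, dropped_by_filter, dropped_by_rate = [], 0, 0
        for pkt in packets:
            if pkt[1] in self.blocked:
                dropped_by_filter += 1
            elif len(forwarded) >= self.victim_capacity:
                dropped_by_rate += 1
            else:
                forwarded.append(pkt)
        return forwarded, dropped_by_filter, dropped_by_rate


def build_sample():
    """Constructed traffic: 20 ordinary clients plus one flooding source."""
    pkts = []
    for i in range(20):
        for k in range(3 + i % 4):             # 3 to 6 packets per client
            pkts.append((k * 0.1, f"198.51.100.{i + 1}"))
    for k in range(400):                       # flooding source (documentation address)
        pkts.append((k * 0.002, "203.0.113.77"))
    pkts.sort()
    return pkts


if __name__ == "__main__":
    guard = Guard(victim_capacity=100)
    fwd, by_filter, by_rate = guard.process_window(build_sample())
    print("blocked sources:", sorted(guard.blocked))
    print("forwarded:", len(fwd), "filtered:", by_filter, "rate-dropped:", by_rate)
```

Packets from the flagged source are dropped while packets from other source addresses still reach the victim, which is the distinction step (C) of claim 56 draws.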

Claim 66 recites a method of responding to an overload condition at a "victim" 
network element in a set of one or more potential victims on a network. The method 
includes the following steps: 

(A) The victim is coupled to receive traffic from the network via a first port of a 
network switch. This arrangement is shown in Figure 1, in which victims H0-H4 are 
connected to routers (i.e., network switches) R6, R4, R0 and R8. Connection of the 
victims to the routers is described in paragraph 0248. 

(B) The network switch is actuated to divert the traffic that is destined for the 
victim to a second port to which a guard machine is coupled. It can be seen in Figure 1 
that guard machine G2 is coupled directly to adjacent router R6 (to which victim H0 is
also directly coupled), while other guard machines are remotely coupled to routers R4, 
R0 and R8 via other routers in the network. Actuation of the routers to divert traffic in 
this manner to either adjacent or remote guard machines is described in paragraphs 
0248-0250. 

(C) The diverted traffic is filtered using the guard machine. This step is 
performed, for example, by "filter function 12" of the guard machine shown in Figure 2. 

(D) At least a portion of the filtered traffic is passed selectively from the guard 
machine to the victim, as described in paragraph 0248: "Following filtering and/or at 
least partial processing of the diverted traffic, some or all of it (e.g., non-malicious 
packets...) may be directed from the guards to the victim H0."

(6) Grounds of Rejection to be Reviewed on Appeal

Claims 1-8, 10, 11, 13-16, 20, 33, 35 and 46-69 were rejected under 35 U.S.C. 
103(a) over Jungck (U.S. Patent 6,829,654) in view of Davies (U.S. Patent 6,901,053). 
Appellant believes this rejection should be reversed. 

(7) Argument

Rejection of Claims 1-8, 10, 11, 13-16, 20, 33, 35 and 46-69 under 35 U.S.C. 103(a) 
over Jungck (U.S. Patent 6,829,654) in view of Davies (U.S. Patent 6,901,053)

I. Independent Claim 1, and Dependent Claims 2, 4-6, 10-11, 13-14, 33 

Appellant respectfully submits that the Examiner erred in maintaining that claim 
1 is obvious over Jungck in view of Davies. 

Jungck describes apparatus and methods for enhancing network infrastructure 
using edge servers and edge caches. The edge servers may also be used to detect 
malicious or otherwise unauthorized data transmissions (abstract). The edge server 
includes a request interceptor, a request filter and a request transmitter (col. 1, line 62 - 
col. 2, line 9). The edge server can also monitor data transmission generated by clients 
for malicious program code (col. 28, lines 51-57) and can identify the originating client 
in a DDOS attack (col. 29, lines 3-7). 

Davies describes a priority routing service using an "express route" between 
network elements. Elements at each end of the express route divert packets transmitted 
between a certain user and a customer along the express route in order to avoid network 
bottlenecks (abstract). The express route comprises reserved or dedicated bandwidths 
on specific paths or connections (col. 3, lines 46-47). To determine the express routes, 
carrier nodes or elements where customer traffic is concentrated are identified by 
analyzing typical traffic levels on various links within the network. The network 
elements at either end of the selected express route are modified to provide the desired 
traffic routing (col. 5, lines 43-56, cited by the Examiner). This express route technique 
allows a carrier to offer an enhanced service to particular customers for receiving and/or
transmitting data traffic to or from any source or destination (col. 4, lines 62-65). 

Claim 1 recites a method of responding to an overload condition, in which 
diversion of traffic by a first set of network elements is initiated in response to an 
indication of an anomalous traffic condition. The network elements in the first set
divert traffic destined for a victim to a second set of network elements, which filter the
diverted traffic and selectively pass a portion of the traffic to the victim. In rejecting
claim 1, the Examiner acknowledged that Jungck does not teach initiating diversion of
traffic due to an indication of an anomalous traffic condition (page 3, lines 2-3, in the 
Official Action). The Examiner maintained, however, that this teaching is supplied by 
Davies. 

"Anomalous" is used in claim 1, as well as in the specification of the present
patent application, in accordance with its common, dictionary meaning: abnormal, or
irregular (Webster's Third New International Dictionary). The specification makes clear
that this is the intended meaning of the term "anomalous" in the context of the present
patent application:

"When a potential victim... comes under an anomalous traffic condition,
however (e.g., as caused by a DDoS attack or flash crowd) the routers...
selectively divert traffic destined for that victim..." (paragraph 0248).

In other words, a malicious attack is characterized by traffic conditions that differ from
the norm. When such abnormal, i.e., anomalous, conditions are encountered, diversion
is initiated as recited in claim 1.

Davies teaches the diametric opposite of claim 1. Davies determines links for
his express routes based explicitly on "typical traffic levels" (col. 5, lines 48-51, in the
passage cited by the Examiner), meaning the regular (Webster's Third New International
Dictionary) or normal (Webster's New World Dictionary) traffic levels. Contrary to the
Examiner's assertion, Davies neither teaches nor suggests any use whatsoever for 
indications of anomalous traffic conditions, let alone initiating diversion in response to 
such an indication. Thus, even if a person of ordinary skill in the art were somehow 



Appeal Brief in re: Afek et al., 
U.S. Pat. App. Ser. No. 09/929,877 

motivated to interpolate Davies's traffic diversion feature into Jungck's system, that
person still would not have initiated traffic diversion in response to anomalous traffic
conditions as required by claim 1.

Furthermore, even if it were conceded, for the sake of argument, that Davies 
might suggest initiating diversion in response to an anomalous traffic condition, there is 
no teaching or suggestion in either Jungck or Davies of diverting traffic by a first set of 
network elements to a second set of network elements, which then filter the traffic, as
recited in claim 1. The arrangement recited in claim 1 is advantageous in maximizing
network throughput under both normal conditions and in the presence of an attack. 

By contrast, as shown by Jungck in Fig. 6, edge servers 602 comprise both the 
request interceptor 608 and the request filter 606. Although the edge server may 
redirect certain requests to an edge cache 604, the filtering function is performed not by 
the edge cache, but rather within the edge server itself. Furthermore, "the request filter 
606 pre-filters traffic before receipt by the request interceptor 608" (col. 29, lines 22-23, 
emphasis added). In other words, not only are the filtering and diversion carried out by 
the same network element in Jungck, but their order of operation is opposite to that 
recited in claim 1. Davies likewise uses a filter for purposes of diversion (Fig. 2), rather
than diverting traffic to another network element for filtering as in claim 1.

Thus, the Examiner has failed to make a prima facie case of obviousness against 
claim 1. The cited art neither teaches nor suggests using one set of network elements to
divert traffic to a second set of network elements for filtering, nor does it teach or 
suggest initiating such diversion in response to an anomalous traffic condition. 
Therefore, claim 1 is patentable over the cited art. 

II. Independent Claims 46 and 56, and Dependent Claims 48, 58, 61 and 64

Appellant respectfully submits that the Examiner erred in maintaining that
claims 46 and 56 are obvious over Jungck in view of Davies.

Claim 46 recites a network element for use in protecting against an overload
condition. The network element comprises an input, a filter for blocking traffic
originating from a suspect source, a statistics module, and an output. The statistics
module performs a statistical analysis of diverted traffic so as to detect an anomalous
pattern of a flow associated with at least one source address. The filter blocks at least a
portion of the data packets having such a source address.

In rejecting this claim, the Examiner acknowledged that Jungck does not teach a 
statistics module that detects an anomalous flow pattern associated with at least one 
source address, but again maintained that Davies supplies the missing teaching. The 
Examiner referred in this regard to Fig. 3, without explaining how this figure provides 
the teachings missing from Jungck. Davies, however, makes no mention at all of a 
statistics module. The only step in Fig. 3 that might suggest statistical analysis and a 
source address is "Monitor traffic to determine typical source/destination
distribution" (emphasis added).

As explained above in reference to claim 1, however, determining typical (i.e., 
normal, regular) traffic levels or distribution is the opposite of the function of the 
statistics module that is recited in claim 46: detecting anomalous (abnormal, irregular) 
flow patterns. Davies neither teaches nor suggests detecting anomalous flow patterns. 
(On the contrary, if Davies were to measure abnormal flow patterns, rather than 
"typical" traffic distributions, his express routes would work badly, if at all.) Thus, even 
if Davies might be taken to suggest a "statistics module," the purpose and function of 
such a module in Davies would be entirely different from that recited in claim 46. 

Claim 56 recites a method for responding to an overload condition, including 
diverting traffic and performing a statistical analysis of the diverted traffic so as to 
detect an anomalous pattern of a flow associated with at least one source address. As 
explained above in reference to claim 46, neither Jungck nor Davies teaches this sort of 
statistical analysis. 

Thus, the Examiner has failed to make a prima facie case of obviousness against 
claims 46 and 56. These claims are therefore patentable over the cited art. 

III. Independent Claim 49 and Dependent Claim 52

Appellant respectfully submits that the Examiner erred in maintaining that claim 
49 is obvious over Jungck in view of Davies. 

Claim 49 recites a system for use in protecting against an overload condition on 
a network. The system comprises one or more "guards," which comprise an input, a 
filter for selectively blocking traffic originating from a suspect source, a statistics 
module, and an output. One or more "diverters" selectively initiate diversion to the 
guards of traffic otherwise destined for a victim responsively to detection of an 
anomalous traffic condition. 

In rejecting this claim, the Examiner acknowledged that Jungck does not teach 
diversion of traffic due to an indication of an anomalous traffic condition, but again 
maintained that the missing teaching is supplied by Davies. As explained above in 
reference to claim 1, however, Davies diverts traffic based solely on typical traffic levels
or distributions. He neither teaches nor suggests any use whatsoever for detection of 
anomalous traffic conditions, let alone initiating diversion in response to such detection. 
Thus, even if a person of ordinary skill in the art were somehow motivated to interpolate 
Davies's traffic diversion feature into Jungck's system, that person still would not have 
initiated traffic diversion in response to detection of anomalous traffic conditions as
required by claim 49. 

Furthermore, neither Jungck nor Davies teaches or suggests a statistics module 
that identifies traffic statistically as having originated from a suspect source, as recited 
in claim 49. The passages in Jungck that the Examiner cited as purportedly teaching 
this sort of module (col. 27, lines 4-46, and col. 29, lines 22-64) relate to a deterministic 
filtering function: If the packet originated upstream from the edge server, it is 
considered suspect and is therefore eradicated (col. 29, lines 38-39). Statistical 
indications play no part at all in the decision. Although the Examiner maintained in 
regard to claim 46 that Davies teaches a statistics module, Davies measures only 
"typical source/destination distribution," as explained above, and makes no suggestion 
of identifying traffic statistically as having originated from a suspect source. 

Thus, the Examiner has failed to make a prima facie case of obviousness against
claim 49. The cited art does not teach or suggest either diverting traffic in response to 
detection of anomalous traffic conditions or identifying traffic statistically as having 
originated from a suspect source. Therefore, claim 49 is patentable over the cited art. 

IV. Independent Claim 66, and Dependent Claims 67 and 69

Appellant respectfully submits that the Examiner erred in maintaining that claim 
66 is obvious over Jungck in view of Davies. 

Claim 66 recites a method of responding to an overload condition at a victim 
network element. The victim is coupled to receive traffic from a network via a first port 
of a network switch. The network switch is actuated to divert the traffic destined for the 
victim to a second port, to which a guard machine is coupled. The guard machine filters 
the diverted traffic and selectively passes at least a portion of the filtered traffic to the 
victim. 

The Examiner gave no reason for the rejection of claim 66, other than the 
blanket statement that this claim "contain[s] the same language of the claims already 
discussed above" and is "therefore... rejected under the same rationale" (page 9, fourth 
paragraph, in the Official Action). In fact, none of the claims discussed previously by 
the Examiner makes any reference at all to a network switch, let alone to the use of such 
a switch to divert traffic to a guard machine in the manner recited in claim 66. 

Neither Jungck nor Davies teaches or suggests using a network switch to 
perform this sort of diversion. As shown in Jungck's Figs. 6 and 6A, for example, the 
functions of request filtering, interception, and proxy server are all carried out within 
the edge server. The edge servers always transmit traffic to the subscribing servers 
through the same ports. Jungck neither teaches nor suggests that such traffic might be 
diverted to a guard machine on a different port, for filtering and selective transmission 
to a victim, as required by claim 66. When Jungck's edge servers do hand requests off 
to an edge cache 604, the edge cache satisfies the request itself. The edge cache does 
not filter and pass the request on to the subscribing server (col. 29, lines 46-50), as
would be required by the method of claim 66. 

Thus, the Examiner has failed to make a prima facie case of obviousness against 
claim 66. This claim is therefore patentable over the cited art. 

There is one other claim that recites the use of a network switch to route traffic 
destined for a victim to a second port for processing by another network element: 
dependent claim 55, which the Examiner found to recite allowable subject matter. The
Examiner gave no explanation as to why the same subject matter would be allowable in 
claim 55 but rejected in claim 66. Applicant respectfully submits that this subject 
matter is patentable in both of claims 55 and 66. 

V. Dependent Claim 3 

Appellant respectfully submits that even if claim 1 were conceded to be obvious 
over the cited art, Jungck and Davies still fail to teach or suggest the added limitations 
of claim 3.

Claim 3 depends from claim 1, and adds the limitation that the filtering step 
includes detecting any of a traffic pattern that differs from an expected pattern and a 
traffic volume that differs from an expected volume in a way that is statistically 
significant. In rejecting this claim, the Examiner stated that Jungck teaches this 
limitation in relation to DDoS attacks in col. 28, line 40 - col. 29, line 10. The cited 
passage, however, has nothing to do with detecting statistically-significant features of 
traffic patterns or traffic volumes. Rather, Jungck detects attacks in the conventional 
way, on a packet-by-packet basis, by monitoring packets for malicious program code 
(col. 28, lines 53-57) or a forged origin address (col. 28, lines 57-62). Jungck neither 
teaches nor suggests detecting a traffic pattern or volume, and thus says nothing about 
whether variations of the traffic pattern or volume are statistically significant, as recited 
in claim 3.

In relation to certain independent claims in this application, as noted above, the 
Examiner maintained that Davies teaches a statistics module. Even granting, for the 
sake of argument, that Davies might gather traffic statistics, however, the stated purpose
of these statistics is to determine typical traffic characteristics (as explained above in
section II). Davies makes no suggestion of detecting statistically-significant variations
in traffic patterns or volume.

Claim 3 is thus independently patentable over the cited art. 

VI. Dependent Claim 7

Appellant respectfully submits that even if claim 1 were conceded to be obvious 
over the cited art, Jungck and Davies still fail to teach or suggest the added limitations 
of claim 7. 

Claim 7 depends from claim 6, which depends from claim 1, and adds the 
limitation that the filtering step includes discarding traffic not requiring a selected 
service from the victim. Examples of this sort of function are described in paragraph 
0021 of the present patent application: passing customer orders to the victim while 
discarding UDP and ICMP packets, or passing mail or IRC packets while discarding 
other packets. 

In rejecting this claim, the Examiner maintained that Jungck teaches the limitations
of the claim in col. 29, lines 22-64. The cited passage, however, refers to determining 
whether the request filter 606 in the edge server 602 should pass certain requests to the 
edge cache 604 (lines 46-48). If the edge cache is not able to handle the request (lines 
50-55) or is not associated with a subscribing server (lines 25-27), the request filter 
simply passes the traffic through to another destination (lines 27-29 and 53-55). The 
only condition under which packets might be discarded is if the packets did not 
originate from an affiliated POP (lines 31-39). Jungck neither teaches nor suggests 
discarding traffic that does not require a selected service, as recited in claim 7. Davies
does not describe any sort of intentional discard mechanism, let alone a mechanism 
based on a selected service. 

Therefore, claim 7 is independently patentable over the cited art. 

VII. Dependent Claim 8

Appellant respectfully submits that even if claim 7 were conceded to be obvious 
over the cited art, Jungck and Davies still fail to teach or suggest the added limitations 
of claim 8. This claim depends from claim 7 and adds the limitation that the filtering 
step includes discarding any of UDP and ICMP traffic. Neither Jungck nor Davies 
makes the slightest mention of either of these protocols.

In rejecting claim 8, the Examiner asserted that Jungck teaches the limitations of 
this claim in col. 28, lines 40-46, and col. 31, lines 1-20. The cited passage in col. 28 
refers to intercepting traffic having the IP address of a subscribing server, in order to 
perform value-added services, which may include eradicating forged packets (col. 28, 
lines 57-62). The cited passage in col. 31 refers to eradicating packets containing 
unauthorized or malicious program code (lines 15-20) in DNS-based attacks. 

Since Jungck makes no mention of either UDP or ICMP, the Examiner's position 
appears to be that any sort of IP packet discard mechanism necessarily includes filtering 
out and discarding UDP and ICMP traffic (or evidently, any other protocol that might be 
carried over IP). The only possible support for this sort of protocol-specific packet 
discard, however, is impermissible hindsight from the present patent application.
Jungck's packet discard criteria are based solely on the source address or malicious 
program content of the packets. Jungck makes no suggestion that the protocol might be 
a criterion for packet discard, let alone the specific protocols of UDP and ICMP. 

Therefore, claim 8 is independently patentable over the cited art. 

VIII. Dependent Claim 15

Appellant respectfully submits that even if claim 1 were conceded to be obvious 
over the cited art, Jungck and Davies still fail to teach or suggest the added limitations 
of claim 15. 

Claim 15 depends from claim 10, which depends from claim 1, and adds the 
limitation that first and second addresses are associated with the victim. Traffic directed 
to the first address is discarded if it was received external to an area defined by the 
points at which the first set of network elements (the traffic diverters) are operated.
Traffic directed to the second address, however, is passed to the victim. This "double 
address" diversion method is described, for example, in paragraphs 0254-0255 et seq. in 
the present patent application. 

There is no teaching or suggestion in either Jungck or Davies of assigning two 
addresses to any sort of network element, let alone using the two addresses in the sort of 
diversion scheme that is recited in claim 15. The Examiner held that Jungck teaches the
limitations of this claim in col. 27, lines 34-51, and col. 28, lines 21-39. The cited 
passages refer to isolating subscribing servers from network traffic based on source or 
destination IP addresses (col. 27, lines 38-43, and col. 28, lines 31-34), but do not even 
hint that multiple addresses might be assigned to these servers for any purpose. 

Therefore, claim 15 is independently patentable over the cited art. 

IX. Dependent Claim 16 

Appellant respectfully submits that even if claim 1 were conceded to be obvious 
over the cited art, Jungck and Davies still fail to teach or suggest the added limitations 
of claim 16. 

Claim 16 depends from claim 10, which depends from claim 1, and adds the 
limitation that the diverting step includes redirecting traffic using Policy Based Routing. 
This is a specific type of routing, which is known in the art, based on the incoming 
interface card of the diverting router, as explained in paragraphs 0267-0268 of the 
present patent application. Neither Jungck nor Davies makes any mention or suggestion 
of Policy Based Routing as a possible basis for traffic redirection. 

The Examiner held that Jungck teaches the limitations of claim 16 in col. 27, line 
13. This passage simply mentions that Jungck's edge cache 604 may be coupled with 
routing equipment so as to intercept network traffic. It makes no mention or suggestion 
of any sort of routing policy. 

Therefore, claim 16 is independently patentable over the cited art.

X. Dependent Claims 20 and 60

Appellant respectfully submits that even if independent claims 1 and 56 were 
conceded to be obvious over the cited art, Jungck and Davies still fail to teach or 
suggest the added limitations of claims 20 and 60. 

Claim 20 depends from claim 5, which depends from claim 4, which depends 
from claim 1, and adds the limitation that packets with spoofed source addresses are 
detected by executing a verification protocol with sources of diverted traffic. Traffic 
from sources that correctly comply with the verification protocol is passed to the victim. 
Claim 60 depends from claim 59, which depends from claim 56, and recites that a 
protocol handshake is initiated between a guard machine and one or more of the source 
addresses in order to determine spoofed source addresses. In other words, in both of 
claims 20 and 60, a guard or filtering element interacts with the source of diverted 
traffic using a certain protocol in order to determine whether the source address is 
spoofed. Neither Jungck nor Davies teaches or suggests any sort of verification 
protocol or protocol handshake that might be executed with a traffic source in order to 
detect spoofed source addresses. 

In rejecting claim 20, the Examiner made reference to a verification procedure 
that is purportedly described by Jungck in col. 28, lines 47 et seq. As explained earlier, 
this passage refers to detecting malicious program code (lines 51-57) and to detecting 
data packets with implausible origin addresses (lines 57-62). It makes no mention of 
any sort of protocol that could be used for these purposes, and certainly does not suggest 
executing a verification protocol or a protocol handshake with a source address that 
might be spoofed, as recited in claims 20 and 60.

Therefore, claims 20 and 60 are independently patentable over the cited art. 

XI. Dependent Claims 35, 54 and 57

Appellant respectfully submits that even if independent claims 1 and 56 were 
conceded to be obvious over the cited art, Jungck and Davies still fail to teach or 
suggest the added limitations of claims 35, 54 and 57. 
Claim 35, for example, depends from claim 33, which depends from claim 1, and
adds the limitation that any of the traffic pattern and volume is determined during a 
period when the victim is not in an overload condition, for comparison with any of the 
traffic pattern and volume in the filtering step (of claim 1) upon detecting the anomalous 
traffic condition. Neither Jungck nor Davies teaches or suggests this sort of traffic 
comparison. 

The Examiner maintained that Jungck teaches the limitations of claim 35 in col. 
29, lines 22-64. The cited passage, however, has nothing to do with determining traffic 
patterns or volumes, and does not even hint at comparing traffic patterns or volumes 
under different traffic conditions. Jungck decides which packets to pass to the edge 
cache or to discard based solely on individual packet characteristics, such as whether the
packet originated upstream or downstream (lines 31-38) or contains a request that can 
be handled by the edge cache (lines 46-48), or contains malicious code (col. 28, lines 
51-57). Jungck makes no mention of traffic pattern or volume, and thus cannot possibly 
be taken to teach or suggest comparing traffic patterns or volumes from different 
periods as recited in claim 35. 

Davies, as noted above, mentions measurement of typical traffic levels for 
purposes of determining alternative links for express routes (col. 5, lines 48-51). There 
is no teaching or suggestion in Davies, however, of comparing traffic patterns or 
volumes from different periods as part of a traffic filtering step or for any other purpose.

Claims 54 and 57, which respectively depend from claims 1 and 56, recite that an 
expected pattern of traffic is learned while the victim is not under attack, and that an 
anomalous traffic condition or attack is detected when the traffic differs from the 
expected pattern. As explained above, neither Jungck nor Davies teaches detecting any 
sort of difference in traffic patterns over time. 

Thus, for the reasons explained above, claims 35, 54 and 57 are independently 
patentable over the cited art.

XII. Dependent Claims 47 and 50

Appellant respectfully submits that even if independent claims 46 and 49 were 
conceded to be obvious over the cited art, Jungck and Davies still fail to teach or 
suggest the added limitations of claims 47 and 50. Both of these claims recite a 
termination detection module, which participates in determining when the overload 
condition has ended. This function is described, for example, in paragraph 0296 of the 
present patent application. Termination detection is useful in determining when to cease 
traffic diversion and/or filtering so as to optimize resource use and avoid unnecessary 
limitations on network throughput. 

There is no mention or suggestion in either Jungck or Davies of any sort of 
method or mechanism that could be used to determine that an overload condition (such 
as might occur in a DDoS attack) has terminated. The Examiner maintained that Jungck 
discloses the limitations of claims 47 and 50 in col. 28, line 47 - col. 29, line 10. The 
cited passage, however, refers simply to value-added services that the edge server 602 
can perform on intercepted traffic (col. 28, lines 47-48). These services are not 
dependent on overload conditions for origination, and termination of an overload 
condition would therefore be irrelevant to the operation of the edge server. The 
Examiner has failed to identify any component in Jungck or Davies that could be 
considered to determine when an overload condition has ended.

Therefore, claims 47 and 50 are independently patentable over the cited art. 

XIII. Dependent Claim 51

Appellant respectfully submits that even if independent claim 49 were conceded 
to be obvious over the cited art, Jungck and Davies still fail to teach or suggest the 
added limitations of claim 51.

Claim 51 depends from claim 49, and adds the limitation that at least one of the 
guards comprises an ingress filter, coupled to the statistical module, which generates 
and transmits to another network element rules for blocking traffic on the network. 
Neither Jungck nor Davies teaches or suggests generation and transmission of any sorts 
of rules among network elements, let alone rules for blocking traffic, as recited in claim
51. 

In rejecting claim 51, the Examiner cited col. 29, lines 11-64, in Jungck. The 
cited passage refers to the operation of the request filter 606, which includes "ingress 
filtering" (line 24), based on whether packets originated upstream or downstream from 
the edge server (lines 31-38). Jungck does not even hint, however, that the request filter 
might generate rules or transmit them to other network elements. Furthermore, since 
Jungck does not describe a statistical module (or any other module that might be 
considered to perform a statistical function), he cannot possibly be taken to suggest that 
the ingress filter be coupled to a statistical module, as required by claim 51.

Therefore, claim 51 is independently patentable over the cited art. 

XIV. Dependent Claim 53 

Appellant respectfully submits that even if claim 1 were conceded to be obvious 
over the cited art, Jungck and Davies still fail to teach or suggest the added limitations 
of claim 53. This claim recites diverting all of the traffic destined for the victim upon 
detecting the anomalous traffic condition. 

The Examiner gave no specific grounds for the rejection of claim 53, other than 
the blanket statement that it contains "the same language of the claims already discussed 
above." This statement is incorrect. None of the claims discussed above says anything 
about diverting all of the traffic that is destined for the victim, as recited in claim 53. 
This added limitation is neither taught nor suggested by the cited art. On the contrary, 
Jungck and Davies describe methods and systems in which only certain traffic is 
diverted, depending on the originating address or packet content, for example.

Therefore, claim 53 is independently patentable over the cited art. 

XV. Dependent Claim 55 

Appellant agrees with the Examiner's statement on page 9 of the Official Action 
that claim 55 recites allowable subject matter (contrary to the apparent rejection of the 
claim on page 2). In view of the patentability of claim 1, from which claim 55 depends,
Appellant believes the objection to claim 55 should be withdrawn. 

XVI. Dependent Claims 59 and 62 

Appellant respectfully submits that even if independent claim 56 were conceded 
to be obvious over the cited art, Jungck and Davies still fail to teach or suggest the 
added limitations of claims 59 and 62. These claims depend from claim 56 (directly or
indirectly), and add the limitation that data packets with certain source addresses are 
discarded before performing a statistical analysis of the diverted traffic. In claim 59, 
packets with spoofed source addresses are discarded, while in claim 62, it is the packets 
that have source addresses that are associated with an anomalous traffic flow pattern 
that are discarded before the statistical analysis. 

The Examiner gave no specific grounds for the rejection of claims 59 and 62, 
other than the same blanket statement that they contain "the same language of the 
claims already discussed above." This statement is incorrect. None of the claims 
discussed above says anything about discarding certain data packets before performing 
a statistical analysis. This added limitation is neither taught nor suggested by the cited
art. Jungck may mention eradicating packets, but does not hint at any sort of statistical 
analysis. Davies may measure typical traffic levels, but does not suggest discarding 
packets either before or after the analysis. There is nothing in the prior art that would 
have motivated a person of ordinary skill to discard a certain portion of the diverted 
traffic before performing a statistical analysis of the diverted traffic, as recited in claims 
59 and 62. 

Therefore, claims 59 and 62 are independently patentable over the cited art. 

XVII. Dependent Claim 63 

Appellant respectfully submits that even if claim 62 were conceded to be obvious 
over the cited art, Jungck and Davies still fail to teach or suggest the added limitations 
of claim 63. This claim depends from claim 62 and recites that after discarding diverted 
packets that have a source address that is associated with an anomalous flow pattern, the
diverted traffic is processed so as to detect and discard data packets with spoofed source 
addresses. In other words, there are two distinct discard stages before the statistical 
analysis: (1) packets with source addresses associated with anomalous flow patterns, 
and (2) packets with spoofed source addresses. 

The Examiner again gave no specific grounds for the rejection of claim 63, other 
than the blanket statement that it contains "the same language of the claims already 
discussed above." This statement is incorrect. None of the claims discussed above says 
anything about carrying out two distinct packet discard stages before performing 
statistical analysis. There is no disclosure or suggestion of this sort of two-stage discard 
in the cited art. 

Therefore, claim 63 is independently patentable over the cited art. 

XVIII. Dependent Claim 65 

Appellant respectfully submits that even if claim 56 were conceded to be obvious 
over the cited art, Jungck and Davies still fail to teach or suggest the added limitations 
of claim 65. This claim depends from claim 56 and adds the limitation that the 
statistical analysis includes classifying traffic according to types of users that generated 
the traffic. 

The Examiner gave no specific grounds for the rejection of claim 65, other than 
the blanket statement that it contains "the same language of the claims already discussed 
above." This statement is incorrect. None of the claims discussed above says anything 
about classifying traffic by user type. The only sort of traffic classification in Jungck 
and Davies is by address. 

Therefore, claim 65 is independently patentable over the cited art. 

XIX. Dependent Claim 68 

Appellant respectfully submits that even if independent claim 66 were conceded 
to be obvious over the cited art, Jungck and Davies still fail to teach or suggest the 
added limitations of claim 68. This claim depends from claim 66 and adds the
limitation that after the guard machine filters the diverted traffic, the filtered traffic is 
passed back from the guard machine to the network switch for transmission to the 
victim. 

The Examiner gave no specific grounds for the rejection of claim 68, other than 
the blanket statement that it contains "the same language of the claims already discussed 
above." This statement is incorrect. None of the claims discussed above says anything 
about passing filtered traffic back through a network switch that previously diverted the 
traffic in order to transmit the filtered traffic to its original destination, as recited in 
claim 68. 

Therefore, claim 68 is independently patentable over the cited art. 



Summary 

For the foregoing reasons, Appellant submits that the Examiner's rejection of 
claims 1-8, 10, 11, 13-16, 20, 33, 35 and 46-69 was erroneous. Reversal of his decision 
is respectfully requested. 

Respectfully submitted,

APPENDIX A

Claims pending as of the present date: 

1. A method of responding to an overload condition at a network element 
("victim") in a set of one or more potential victims on a network, the method comprising 
the steps of 

A. responsively to an indication of an anomalous traffic condition, initiating 
diversion of traffic destined for the victim by a first set of one or more network elements 
external to the set of one or more potential victims to a second set of one or more 
network elements external to the set of one or more potential victims, 

B. the element(s) of the second set filtering traffic diverted in step A ("diverted 
traffic") and selectively passing a portion thereof to the victim. 

2. A method according to claim 1, wherein the initiating step includes effecting a 
path of traffic that differs from a path that traffic would otherwise take to the victim. 

3. A method according to claim 1, wherein

the filtering step includes detecting any of (i) a traffic pattern that differs from an 
expected pattern and (ii) traffic volume that differ from expected volume, the detecting 
step includes determining whether any of the traffic pattern and volume varies 
statistically significantly.

4. A method according to claim 1, wherein the filtering step includes detecting
suspected malicious traffic. 

5. A method according to claim 4, wherein the detecting step includes detecting 
packets with spoofed source addresses. 

6. A method according to claim 1, wherein the filtering step includes detecting 
traffic requiring a selected service from the victim. 

7. A method according to claim 6, wherein the filtering step includes discarding 
traffic not requiring the selected service from the victim. 

8. A method according to claim 7, wherein the filtering step includes discarding 
any of UDP and ICMP packet traffic. 

10. A method according to claim 1, comprising operating one or more elements of 
the first set at points on the network around the set of one or more potential victims. 

11. A method according to claim 10, comprising operating one or more elements of 
the second set any of adjacent to or external to one or more elements of the first set.

13. A method according to claim 10, wherein the anomalous traffic condition is
indicative of a distributed denial of service (DDoS) attack. 

14. A method according to claim 10, comprising selectively activating the one or 
more elements of the first set by declaring a network address of the victim to be close in 
network distance to one or more elements of the second set. 

15. A method according to claim 10, comprising associating the victim with first 
and second addresses, and wherein the filtering step includes 

discarding traffic received external to an area defined by the points directed to 
the first address, and 

passing to the victim traffic received external to an area directed to the second 
address. 

16. A method according to claim 10, wherein the diverting step includes redirecting 
traffic using Policy Based Routing. 

20. A method according to claim 5, wherein detecting the packets with spoofed 
source addresses comprises executing a verification protocol with sources of the 
diverted traffic, and wherein the passing step includes passing to the victim traffic from 
a source that correctly complies with the verification protocol.

33. A method according to claim 1, wherein the filtering step includes statistically
measuring any of a traffic pattern and volume so as to identify any of a source and a 
type of the overload condition. 

35. A method according to claim 33, comprising determining any of the traffic 
pattern and volume during a period when the victim is not in the overload condition, for 
comparison with any of the traffic pattern and volume in the filtering step upon 
detecting the anomalous traffic condition. 

46. A network element for use in protecting against an overload condition on a 
network, the network element comprising: 

an input for receiving traffic diverted from the network, the traffic comprising 
flows of data packets having respective source addresses; 

a statistics module that is arranged to perform a statistical analysis of the 
diverted traffic so as to detect an anomalous pattern of a flow associated with at least 
one of the source addresses; 

a filter, which is operative, responsively to detection of the anomalous pattern, to 
block at least a portion of the data packets having the at least one of the source 
addresses; and 

an output coupled to the input for selectively passing on to further elements in 
the network traffic not blocked by the filter.

47. A network element according to claim 46, comprising a termination detection
module that at least participates in determining when the overload condition has ended. 

48. A network element according to claim 46, comprising an antispoofing element 
that performs at least one of authenticating and verifying a source of traffic. 

49. A system for use in protecting against an overload condition on a network, the 
system comprising: 

one or more network elements ("guards") disposed on the network, each network 
element having 

an input for receiving traffic from the network, 

a filter coupled to the input, the filter selectively blocking traffic 
originating from a source suspected as potentially causing the overload 
condition, 

a statistics module that is coupled to the filter and that identifies the 
traffic statistically indicative of having originated from the source suspected as 
potentially causing the overload condition, and 

an output coupled to the input for selectively passing on to further 
elements in the network traffic not blocked by the filter, 

one or more further network elements ("diverters") disposed on the network and 
in communication with the guards, the further network elements selectively initiating, 
responsively to detection of an anomalous traffic condition, diversion to at least one of 
the guards traffic otherwise destined for a still further network element ("victim") in a
set of one or more potential victims on the network. 

50. A system according to claim 49, wherein at least one of the guards comprises a 
termination detection module that at least participates in determining when the overload 
condition has ended. 

51. A system according to claim 49, wherein at least one of the guards comprises an 
ingress filter, coupled to the statistics module, that generates and transmits to a further 
network element on the network rules for blocking traffic on the network. 

52. A system according to claim 49, comprising an antispoofing element that any of 
authenticates and verifies a source of traffic. 

53. A method according to claim 1, wherein diverting the traffic comprises diverting 
all of the traffic destined for the victim upon detecting the anomalous traffic condition. 

54. A method according to claim 1, and comprising learning an expected pattern of 
the traffic while the victim is not under attack, wherein detecting the anomalous traffic 
condition comprises determining that the traffic differs significantly from the expected 
pattern.

55. A method according to claim 2, wherein the first set of one or more network
elements comprises network switches having respective ports, comprising at least one 
switch that is configured to route the traffic to the victim through a first port while the 
victim is not under attack, and wherein effecting the path comprises instructing the at 
least one switch to route the traffic destined for the victim through a second port, to 
which at least one of the network elements in the second set is coupled. 

56. A method of responding to an overload condition at a network element 
("victim") in a set of one or more potential victims on a network, the method 
comprising: 

diverting to a guard machine traffic destined for the victim, the traffic 
comprising flows of data packets having respective source addresses; 

performing a statistical analysis of the diverted traffic at the guard machine so as 
to detect an anomalous pattern of a flow associated with at least one of the source 
addresses; and 

responsively to detecting the anomalous pattern, preventing at least a portion of 
the data packets having the at least one of the source addresses from reaching the victim 
while passing to the victim at least some of the data packets from other source 
addresses. 

57. A method according to claim 56, wherein performing the statistical analysis 
comprises learning an expected traffic pattern of the flows while the victim is not under 
attack, and detecting an attack by determining that the anomalous pattern differs from
the expected traffic pattern. 

58. A method according to claim 56, wherein performing the statistical analysis 
comprises detecting any of a traffic volume, port number distribution, periodicity of 
requests, packet properties, IP geography, and distribution of packet arrival/size. 

59. A method according to claim 56, and comprising processing the diverted traffic 
so as to detect and discard the data packets that have one or more spoofed source 
addresses before performing the statistical analysis. 

60. A method according to claim 59, wherein processing the diverted traffic 
comprises initiating a protocol handshake between the guard machine one or more of 
the source addresses in order to determine that the one or more of the source addresses 
are spoofed. 

61. A method according to claim 56, wherein preventing at least the portion of the 
data packets comprises filtering out the diverted packets that have the at least one of the 
source addresses. 

62. A method according to claim 61, wherein filtering out the diverted packets 
comprises discarding the diverted packets that have the at least one of the source 
addresses before performing the statistical analysis on the diverted traffic that remains 
after the discarding.

63. A method according to claim 62, and comprising processing the diverted traffic
after discarding the diverted packets that have the at least one of the source addresses so 
as to detect and discard the data packets that have one or more spoofed source addresses 
before performing the statistical analysis. 

64. A method according to claim 56, wherein performing the statistical analysis 
comprises at least one of analyzing one or more of netflow data, server logs, victim 
traffic, and traffic volume, and classifying the statistical analysis according to types of 
users that generated the traffic. 

65. A method according to claim 56, wherein performing the statistical analysis 
comprises classifying the traffic according to types of users that generated it. 

66. A method of responding to an overload condition at a network element 
("victim") in a set of one or more potential victims on a network, the method 
comprising: 

coupling the victim to receive traffic from the network via a first port of a 
network switch; 

actuating the network switch to divert the traffic destined for the victim to a 
second port to which a guard machine is coupled; 

filtering the diverted traffic using the guard machine; and

selectively passing at least a portion of the filtered traffic from the guard
machine to the victim. 

67. A method according to claim 66, wherein the network switch comprises a 
router. 

68. A method according to claim 66, wherein selectively passing at least the portion 
of the filtered traffic comprises passing the filtered traffic from the guard machine to the 
network switch, for transmission to the victim via the first port. 

69. A method according to claim 66, wherein filtering the diverted traffic comprises 
performing a statistical analysis of the diverted traffic so as to detect an anomalous 
pattern of a flow associated with at least one source address of the traffic, and 
responsively to detecting the anomalous pattern, preventing at least a portion of the data 
packets having the at least one source address.

APPENDIX B - EVIDENCE

None presented.

APPENDIX C - RELATED PROCEEDINGS

None. 